Compared to Windows 2000, the new implementation of the Encrypting File System (EFS) in Windows XP/2003 has some pitfalls. Zubair Alexander examines these issues and provides some pointers for planning an EFS strategy for your business environment.

The Encrypting File System (EFS) in Windows XP and Windows 2003 includes
several features that were not included in the Windows 2000 EFS. In this
article, we'll look at the major differences between the Windows 2000 EFS
implementation (let's call it "the older EFS") and the Windows
XP/2003 implementation ("the newer EFS"). We'll focus on the way
in which Microsoft implements the newer EFS, as well as various EFS issues such
as resetting users' forgotten passwords and RAS users getting Access Denied
error messages.

At the end of this article, I offer some recommendations for planning a
business EFS strategy to ensure that you don't lose your important data.
Data that's important enough for you to encrypt had better not be lost due
to incorrect implementation!

New Features of EFS

Compared to Windows 2000, the newer EFS version in Windows XP and Windows
Server 2003 includes several changes. Here's a list of some of the new
features:

Encrypted files are marked green so you can easily distinguish
them.

In Windows Explorer, choose Tools, Folder Options. On the View tab, select
the option Show Encrypted or Compressed NTFS files in Color. This setting makes
compressed files appear in blue and encrypted files in green.
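The Explorer colour option is a visual cue only; for an audit of a folder tree the same information can be read from the NTFS attributes. The following PowerShell script is an added example, not code from the article: it walks a folder and reports each file that carries the Encrypted or Compressed attribute (the two flags behind the green and blue colouring). The $Root default is a placeholder path.

```powershell
# Added example (not from the article): list files whose NTFS attributes mark
# them as encrypted or compressed, the scripted equivalent of Explorer's
# "Show encrypted or compressed NTFS files in color" option.
# $Root is a placeholder; point it at the folder you want to audit.
param(
    [string]$Root = "$env:USERPROFILE\Documents"
)

$Encrypted  = [System.IO.FileAttributes]::Encrypted
$Compressed = [System.IO.FileAttributes]::Compressed

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $attrs = $_.Attributes
        [pscustomobject]@{
            Path       = $_.FullName
            # -band tests a single flag bit. A file may carry neither flag or
            # one of them; NTFS never applies both encryption and compression
            # to the same file.
            Encrypted  = [bool]($attrs -band $Encrypted)
            Compressed = [bool]($attrs -band $Compressed)
        }
    } |
    Where-Object { $_.Encrypted -or $_.Compressed } |
    Sort-Object Path |
    Format-Table -AutoSize
```

Run it as `.\Find-EfsFiles.ps1 -Root D:\Projects` (file name is arbitrary). On Windows XP/2003 the built-in `cipher.exe /u /n` walks every local drive and lists encrypted files without touching any keys, which is the quickest way to get a machine-wide inventory before planning recovery agents.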

You can share your encrypted files with other
individuals.

You can share encrypted files with other individuals, but not with groups. A user
with whom you want to share an encrypted file must have an encryption certificate
on your computer. This can be achieved in a couple of ways: the user can log
on to your computer and encrypt a file, or a network user can simply export his
or her certificate and you can then import that certificate on your computer.
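The export/import route described above, as an added example that is not part of the article. It uses the Export-Certificate and Import-Certificate cmdlets from the PKI module (available on Windows 8 / Server 2012 and later, which the XP/2003-era text predates; on older systems the same two steps are performed in certmgr.msc). The file paths, the user name "alice" and the choice of the Trusted People store as the import target are assumptions of this example.

```powershell
# Added example (not from the article): sharing an encrypted file by exporting
# the other user's EFS certificate and importing it on the file owner's machine.
# Requires the PKI module cmdlets (Windows 8 / Server 2012+). Paths are placeholders.

# --- Step 1, run as the user who will be granted access (the "network user") ---
# EFS certificates carry the Encrypting File System EKU, OID 1.3.6.1.4.1.311.10.3.4.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$myEfsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $myEfsCert) {
    throw "No EFS certificate with a private key found; EFS creates one the first time you encrypt a file."
}

# Export the public certificate only (.cer). The private key stays on this
# machine: the file owner needs nothing more than the public key to add this user.
Export-Certificate -Cert $myEfsCert -FilePath "$env:TEMP\alice-efs.cer" -Type CERT | Out-Null
"Exported {0}, thumbprint {1}" -f $myEfsCert.Subject, $myEfsCert.Thumbprint

# --- Step 2, run on the file owner's computer after copying alice-efs.cer over ---
# Import into the current user's Trusted People store so it is offered in the
# file's Advanced > Details > Add dialog (store choice is an assumption here).
$imported = Import-Certificate -FilePath "$env:TEMP\alice-efs.cer" `
                               -CertStoreLocation Cert:\CurrentUser\TrustedPeople

# Compare the thumbprint with the one the other user reported out of band before
# adding them to any file; a substituted certificate would otherwise be trusted.
"Imported {0}, thumbprint {1}, expires {2}" -f $imported.Subject, $imported.Thumbprint, $imported.NotAfter
```

Exporting only the public certificate is the point of the procedure: granting another person access to a file never requires handing over a private key, and the thumbprint check is what ties the imported certificate to the person you actually intend to share with.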

EFS offers client-side caching that's used with the Offline Files
feature.

This feature is useful for mobile computers because users can work on files
even when not connected to the network. The files are cached on the user's
hard drive. When the user reconnects to the network, the local files are
synchronized with the files on the network. Unlike Windows 2000, both Windows XP
and Windows Server 2003 let you encrypt offline files.

EFS offers kernel-mode FIPS-compliant cryptography.

Federal Information Processing Standard 140-1 (FIPS 140-1) and FIPS 140-2 are
U.S. government standards that provide a benchmark for implementing
cryptographic software. Some U.S. government agencies purchase only products
that are FIPS-compliant. In Windows XP/2003, you can use the group policy option
System cryptography: Use FIPS compliant algorithms for encryption
to configure clients to be FIPS-compliant.
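A practitioner rolling out that policy usually wants to confirm it actually took effect on a given machine. The function below is an added example, not code from the article: it reads the policy's registry backing store, which Windows Vista and later keep as the Enabled value under the FipsAlgorithmPolicy key, while Windows XP/2003 kept it as a FipsAlgorithmPolicy DWORD directly under the Lsa key. Both locations are real, but which one a particular build consults is the assumption this check relies on.

```powershell
# Added example (not from the article): report the effective state of the
# "System cryptography: Use FIPS compliant algorithms..." policy by reading
# the registry value the policy sets. Run in an elevated or at least a
# registry-readable session.
function Get-FipsPolicyState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Newer layout (Vista and later): a FipsAlgorithmPolicy key holding an Enabled value.
    $new = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $new) {
        return [pscustomobject]@{ Layout = 'Vista+'; Enabled = ($new.Enabled -eq 1) }
    }

    # Legacy layout (XP/2003): a DWORD named FipsAlgorithmPolicy on the Lsa key itself.
    $old = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($null -ne $old) {
        return [pscustomobject]@{ Layout = 'XP/2003'; Enabled = ($old.FipsAlgorithmPolicy -eq 1) }
    }

    # Neither location present: the policy has never been applied, which
    # Windows treats the same as disabled.
    [pscustomobject]@{ Layout = 'unset'; Enabled = $false }
}

Get-FipsPolicyState
```

Because the policy is delivered by Group Policy, a machine that reports Enabled = $false after the GPO was linked is worth a `gpresult` look before assuming the setting is wrong: a failed policy refresh is the more common cause.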

Files can be encrypted even if there's no Data Recovery Agent
(DRA).

Unlike Windows 2000, the newer version of EFS allows encryption of files even
without a DRA.

Now that we've looked at some of the new features in EFS, let's
closely examine some of the issues related to encryption in Windows 2000 and
Windows XP.